deps(frontend): bump vite from 7.3.1 to 8.0.1 in /frontend

AGENTS.md

@@ -235,7 +235,7 @@ docker compose logs prefixd   # View daemon logs
 
 Services: nginx (80), prefixd (8080), dashboard (3000), postgres (5432), gobgp (50051/179), prometheus (9091), grafana (3001)
 
-## Current State (v0.14.0)
+## Current State (v0.14.1)
 
 Completed:
 - HTTP API with mode-aware auth and rate limiting

CHANGELOG.md

@@ -5,6 +5,30 @@ All notable changes to prefixd will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [0.14.1] - 2026-04-03
+
+### Fixed
+
+- **Prometheus metrics wired up** — All event, mitigation, announcement, reconciliation, guardrail, and BGP session metrics were defined but never incremented. Now properly instrumented across all handler and reconciliation paths. (contributed by @bswinnerton)
+- **ANNOUNCEMENTS_TOTAL label simplified** — Dropped unused `peer` label (handlers don't have peer context); ANNOUNCEMENTS_LATENCY changed from per-peer HistogramVec to a global Histogram
+- **MITIGATIONS_ACTIVE gauge accuracy** — Reconciliation loop now resets and recomputes the active mitigations gauge with correct `action_type` and `pop` labels each tick
+- **BGP_SESSION_UP gauge** — Now updated each reconciliation tick from actual peer session state
+
+### Changed
+
+- Bump uuid 1.21.0 → 1.22.0
+- Bump rustls 0.23.36 → 0.23.37
+- Bump ipnet 2.11.0 → 2.12.0
+- Bump @radix-ui/react-popover 1.1.4 → 1.1.15
+- Bump recharts 3.7.0 → 3.8.0
+- Bump picomatch 4.0.0 → 4.0.4
+
+### Security
+
+- **aws-lc-sys** — Updated 0.36.0 → 0.39.1 fixing CRL scope check logic error (RUSTSEC-2026-0048, high), PKCS7 signature validation bypass (RUSTSEC-2026-0047, high), PKCS7 cert chain bypass (RUSTSEC-2026-0046, high), AES-CCM timing side-channel (RUSTSEC-2026-0045, medium), X.509 name constraints bypass (RUSTSEC-2026-0044)
+- **rustls-webpki** — Updated 0.103.9 → 0.103.10 fixing CRL Distribution Point matching logic (RUSTSEC-2026-0049)
+- **picomatch** — Updated to 4.0.4 fixing ReDoS via extglob quantifiers (GHSA-c2c7-rcm5-vvqj, high) and method injection in POSIX character classes (GHSA-3v7f-55p6-f55p, moderate)
+
 ## [0.14.0] - 2026-03-20
 
 ### Added
@@ -826,6 +850,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Safelist prevents mitigation of protected infrastructure
 - Guardrails block overly broad mitigations
 
+[0.14.1]: https://github.com/lance0/prefixd/compare/v0.14.0...v0.14.1
 [0.14.0]: https://github.com/lance0/prefixd/compare/v0.13.0...v0.14.0
 [0.13.0]: https://github.com/lance0/prefixd/compare/v0.12.0...v0.13.0
 [0.12.0]: https://github.com/lance0/prefixd/compare/v0.11.0...v0.12.0

CONTRIBUTING.md

@@ -214,8 +214,8 @@ Releases are tagged from `main`:
 # Update version in Cargo.toml
 # Update CHANGELOG.md
 # Commit and tag
-git tag v0.14.0
-git push origin v0.14.0
+git tag v0.14.1
+git push origin v0.14.1
 ```
 
 CI builds and publishes:

Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "prefixd"
-version = "0.14.0"
+version = "0.14.1"
 edition = "2024"
 rust-version = "1.85"
 description = "BGP FlowSpec routing policy daemon for DDoS mitigation"

FEATURES.md

@@ -641,7 +641,7 @@ All state-changing operations logged:
 ```json
 {
   "status": "ok",
-  "version": "0.14.0",
+  "version": "0.14.1",
   "auth_mode": "none"
 }
 ```
@@ -651,7 +651,7 @@ All state-changing operations logged:
 ```json
 {
   "status": "ok",
-  "version": "0.14.0",
+  "version": "0.14.1",
   "pop": "iad1",
   "uptime_seconds": 86400,
   "active_mitigations": 3,

README.md

@@ -69,7 +69,7 @@ docker compose ps
 
 # Test the API
 curl http://localhost/v1/health
-# {"status":"ok","version":"0.14.0","auth_mode":"none"}
+# {"status":"ok","version":"0.14.1","auth_mode":"none"}
 ```
 
 ### 4. Create an admin account
@@ -258,7 +258,7 @@ Database migrations run automatically on startup. See **[docs/upgrading.md](docs
 
 ## Project Status
 
-Current version: **v0.14.0**
+Current version: **v0.14.1**
 
 - Core functionality stable and tested
 - Real-time dashboard with WebSocket updates, toast notifications, and mitigation detail views

ROADMAP.md

@@ -4,7 +4,7 @@ What's next for prefixd.
 
 ---
 
-## Current Status: v0.14.0
+## Current Status: v0.14.1
 
 Core functionality is stable:
 

docs/api.md

@@ -1081,7 +1081,7 @@ Lightweight liveness check. No authentication required. Does not query database
 ```json
 {
   "status": "ok",
-  "version": "0.14.0",
+  "version": "0.14.1",
   "auth_mode": "none"
 }
 ```
@@ -1106,7 +1106,7 @@ Full operational health. Requires authentication.
 ```json
 {
   "status": "healthy",
-  "version": "0.14.0",
+  "version": "0.14.1",
   "pop": "iad1",
   "uptime_seconds": 86400,
   "bgp_sessions": {

docs/benchmarks.md

@@ -1,6 +1,6 @@
 # Benchmark Results
 
-Last updated: v0.14.0
+Last updated: v0.14.1
 
 ## How to Run
 

docs/cli.md

@@ -52,7 +52,7 @@ prefixdctl -a http://127.0.0.1:8080 -t $TOKEN <command>
 prefixdctl status
 
 # Example output:
-# prefixd v0.14.0 (iad1)
+# prefixd v0.14.1 (iad1)
 # Status: healthy
 # Uptime: 2d 4h 30m
 # Active mitigations: 12

docs/deployment.md

@@ -756,7 +756,7 @@ groups:
 ```bash
 # Liveness check (public, lightweight - no DB/GoBGP calls)
 curl http://localhost/v1/health
-# Returns: {"status":"ok","version":"0.14.0","auth_mode":"none"}
+# Returns: {"status":"ok","version":"0.14.1","auth_mode":"none"}
 
 # Full operational health (authenticated)
 curl -H "Authorization: Bearer $TOKEN" http://localhost/v1/health/detail